Posted to dev@ranger.apache.org by "David Berger (Jira)" <ji...@apache.org> on 2019/10/06 08:18:00 UTC

[jira] [Updated] (RANGER-2604) Can't connect to Presto Plugin when TLS is enabled on Presto

     [ https://issues.apache.org/jira/browse/RANGER-2604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Berger updated RANGER-2604:
---------------------------------
    Description: 
We are running Presto with TLS enabled [https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]

 

When connecting to Presto via a JDBC client it works fine by enabling SSL and passing the trust store details like below

jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123

 

But using the same connection string when setting up the Presto Repo in Ranger it doesn't work because Ranger assumes you're running Kerberos now, which isn't right.

 

*See the Ranger REST call we use to create the repo below:*

curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type: application/json" -d '{"configs":

{"username": "LDAPADM", "password": "<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver", "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"}

, "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo", "type": "presto", "version": 1 }' -X POST ${URL}/service/public/v2/api/service

 

*The error in the Ranger log preventing us from logging in:*

2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - Can't find keyTab Path : null
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username

 

  was:
We are running Presto with TLS enabled [https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]

 

When connecting to Presto via a JDBC client it works fine by enabling SSL and passing the trust store details like below

jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123

 

But using the same connection string when setting up the Presto Repo in Ranger it doesn't work because Ranger assumes you're running Kerberos now, which isn't right.

 

*See the Ranger REST call we use to create the repo below:*

curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type: application/json" -d '\{"configs": {"username": "LDAPADM", "password": "<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver", "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"}, "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo", "type": "presto", "version": 1 }' -X POST ${URL}/service/public/v2/api/service

 

*The error in the Ranger log preventing us from logging in:*

019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - *Can't find keyTab Path : null*
019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - *Can't find keyTab Path : null*
2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO  org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username
2019-10-06 07:47:46,716 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoClient$2 (PrestoClient.java:213) - <== PrestoClient getCatalogList() :Unable to get the Database List
org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:190)
    at org.apache.ranger.services.presto.client.PrestoClient.access$100(PrestoClient.java:45)
    at org.apache.ranger.services.presto.client.PrestoClient$2.run(PrestoClient.java:211)
    at org.apache.ranger.services.presto.client.PrestoClient$2.run(PrestoClient.java:206)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogList(PrestoClient.java:206)
    at org.apache.ranger.services.presto.client.PrestoClient.connectionTest(PrestoClient.java:497)
    at org.apache.ranger.services.presto.client.PrestoResourceManager.connectionTest(PrestoResourceManager.java:48)
    at org.apache.ranger.services.presto.RangerServicePresto.validateConfig(RangerServicePresto.java:48)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:660)
    at org.apache.ranger.biz.ServiceMgr$ValidateCallable.actualCall(ServiceMgr.java:647)
    at org.apache.ranger.biz.ServiceMgr$TimedCallable.call(ServiceMgr.java:608)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.sql.SQLException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:271)
    at io.prestosql.jdbc.PrestoStatement.execute(PrestoStatement.java:227)
    at io.prestosql.jdbc.PrestoStatement.executeQuery(PrestoStatement.java:76)
    at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:173)
    ... 16 more
Caused by: io.prestosql.jdbc.$internal.client.ClientException: Authentication failed: Access Denied: Invalid credentials
    at io.prestosql.jdbc.$internal.client.StatementClientV1.requestFailedException(StatementClientV1.java:459)
    at io.prestosql.jdbc.$internal.client.StatementClientV1.<init>(StatementClientV1.java:135)
    at io.prestosql.jdbc.$internal.client.StatementClientFactory.newStatementClient(StatementClientFactory.java:24)
    at io.prestosql.jdbc.QueryExecutor.startQuery(QueryExecutor.java:46)
    at io.prestosql.jdbc.PrestoConnection.startQuery(PrestoConnection.java:700)
    at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:239)
    ... 19 more
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoResourceManager (PrestoResourceManager.java:50) - <== PrestoResourceManager.connectionTest Error: org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR org.apache.ranger.services.presto.RangerServicePresto (RangerServicePresto.java:50) - <== RangerServicePresto.validateConfig Error:org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,719 [timed-executor-pool-0] ERROR org.apache.ranger.biz.ServiceMgr$TimedCallable (ServiceMgr.java:610) - TimedCallable.call: Error:org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].
2019-10-06 07:47:46,720 [http-bio-6080-exec-11] ERROR org.apache.ranger.biz.ServiceMgr (ServiceMgr.java:198) - ==> ServiceMgr.validateConfig Error:org.apache.ranger.plugin.client.HadoopException: org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS].


> Can't connect to Presto Plugin when TLS is enabled on Presto
> ------------------------------------------------------------
>
>                 Key: RANGER-2604
>                 URL: https://issues.apache.org/jira/browse/RANGER-2604
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: David Berger
>            Priority: Major
>
> We are running Presto with TLS enabled [https://prestosql.github.io/docs.prestosql.io/current/security/tls.html#server-java-keystore]
>  
> When connecting to Presto via a JDBC client it works fine by enabling SSL and passing the trust store details like below
> jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/Users/david.berger/git/tactical-edl-hr/presto/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123
>  
> But using the same connection string when setting up the Presto Repo in Ranger it doesn't work because Ranger assumes you're running Kerberos now, which isn't right.
>  
> *See the Ranger REST call we use to create the repo below:*
> curl -iv -u ${RANGER_ADMIN_USER}:${RANGER_ADMIN_PWD} -H "Content-Type: application/json" -d '{"configs":
> {"username": "LDAPADM", "password": "<PASSWORD>", "jdbc.driverClassName": "io.prestosql.jdbc.PrestoDriver", "jdbc.url": "jdbc:presto://edl-hr-pr-ldap-presto.az.gdp-bigdata1.gdpdentsu.net:443/hive/default?SSL=true&SSLTrustStorePath=/plugins_tls/edl-hr-keystore-coordinator_trust.jks&SSLTrustStorePassword=turstpass123"}
> , "description": "PrestoTestRepo", "isEnabled": true, "name": "PrestoTestRepo", "type": "presto", "version": 1 }' -X POST ${URL}/service/public/v2/api/service
>  
> *The error in the Ranger log preventing us from logging in:*
> 2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - Can't find keyTab Path : null
> 2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null
> 2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username
>  



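An added triage example, not part of the original report and not Ranger code: it splits a Ranger admin log that was pasted as one run-on line (as in the earlier description) back into entries, counts the `SecureClientLogin` keytab/principal warnings, and returns the innermost `Caused by:` of the failed connection test. The sample text is constructed by abridging the log in the report; `split_entries` and `triage` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample: abridged from the flattened log in the report, one run-on string.
SAMPLE = (
    "2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:126) - Can't find keyTab Path : null"
    "2019-10-06 07:47:44,562 [timed-executor-pool-0] WARN  org.apache.hadoop.security.SecureClientLogin (SecureClientLogin.java:130) - Can't find principal : null"
    "2019-10-06 07:47:44,567 [timed-executor-pool-0] INFO  org.apache.ranger.plugin.client.BaseClient (BaseClient.java:126) - Init Login: security not enabled, using username"
    "2019-10-06 07:47:46,716 [timed-executor-pool-0] ERROR apache.ranger.services.presto.client.PrestoClient$2 (PrestoClient.java:213) - <== PrestoClient getCatalogList() :Unable to get the Database List"
    "org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS]. at org.apache.ranger.services.presto.client.PrestoClient.getCatalogs(PrestoClient.java:190) "
    "Caused by: java.sql.SQLException: Authentication failed: Access Denied: Invalid credentials at io.prestosql.jdbc.PrestoStatement.internalExecute(PrestoStatement.java:271) ... 16 more"
    "Caused by: io.prestosql.jdbc.$internal.client.ClientException: Authentication failed: Access Denied: Invalid credentials at io.prestosql.jdbc.$internal.client.StatementClientV1.requestFailedException(StatementClientV1.java:459) ... 19 more"
)

# Zero-width match at the start of each "date time,millis [thread]" prefix.
ENTRY_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \[)")
ENTRY_HEAD = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+)\s+(.*)$", re.S)
# "Caused by: <class>: <message>", message ends at the first stack frame.
CAUSE = re.compile(r"Caused by: ([\w.$]+): (.*?)(?=\s+at [\w.$<>]+\(|$)", re.S)


def split_entries(blob):
    """Recover individual log entries from a run-on paste."""
    return [e.strip() for e in ENTRY_START.split(blob) if e.strip()]


def triage(blob):
    """Summarise levels, Kerberos-login warnings and the innermost cause."""
    entries = []
    for raw in split_entries(blob):
        m = ENTRY_HEAD.match(raw)
        if m:
            entries.append({"level": m.group(3), "text": m.group(4)})
    causes = [(c.group(1), c.group(2).strip()) for c in CAUSE.finditer(blob)]
    return {
        "levels": dict(Counter(e["level"] for e in entries)),
        "kerberos_warnings": sum(
            1 for e in entries
            if e["level"] == "WARN" and "SecureClientLogin" in e["text"]),
        # BaseClient reports when it falls back to username/password login.
        "simple_auth": any("security not enabled, using username" in e["text"]
                           for e in entries),
        # The last "Caused by" in a Java trace is the innermost exception.
        "root_cause": causes[-1] if causes else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```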